Thursday, August 28, 2008

How the new SBS 2008 Internet Address Management Wizard Works

As you saw from the major differences between SBS 2003 and SBS 2008 post, the SBS 2003 Configure E-Mail and Internet Connection Wizard (or CEICW) was broken into 5 different wizards.  The part that configures your external domain name was brought into this wizard, the Internet Address Management Wizard.

Now similar to the 2003 CEICW wizard, everything on the local box is configured to the domain name of your choice, that includes:

  • Remote Web Workplace - IIS is configured to respond to the host header of your domain name
  • Certificate Authority - While the CA is new to SBS 2008 as an "installed by default" component, the specific thing the IAMW does here is configure the website self-issued certificate used to encrypt the traffic between the client and the server, as well as validating the identity of the server to the client.
  • TS-Gateway - Also new to SBS 2008, this is configured to line up with the new domain name as well to allow connectivity to the client computers through the Remote Web Workplace
  • Exchange - Email SMTP connectors, and Exchange authoritative domain names are configured to be the domain name of choice.
  • UPnP Enabled Routers - If your router supports UPnP, ports 25, 80, 443 and 987 are opened to point to the Windows SBS 2008 server.

What's new to SBS 2008, is the ability to configure a Domain Name Provider automatically with your Host Records, Mail Records, Spam Records, and Service Records.  To do this you must use one of our supported providers.  Those providers in alphabetical order are, eNom ,, and  (If your provider is not supported, send them to our partner page!)

So, when configuring a domain name, how does this work?

It's not complicated by any means.  When buying a new domain name, the wizard uses your Internet Connection and sends the Country/Region data you entered during setup to a Microsoft Referral service.  This service responds with the domain name providers you can buy domain names from within your Country or Region. With this data, we are able to show the following page where you can choose which provider to work with:


At this point, there is no further contact with the Microsoft Referral service, and the server communicates directly with the partner of your choice to help you find an available domain name.  If you choose to send the rest of your postal address to the domain provider, they may use some of that data in domain name spinning to help you find an available domain name, and they may also default some of this information into the check-out process, speeding things up a little.

Eventually you will open a web browser with the domain name provider to provide your purchasing information.  Once you have bought your domain, and any other additional services you may want to buy for your server, then you simply return to the wizard and input the newly created (or potentially already existing) credentials with the domain name partner into the wizard.  The server stores them securely in the credential manager for use immediately, and also later.

The wizard will then configure the local box and network, then reach out via a secure API, to the domain name provider and configure an A-Record, MX-Record, TXT-Record (for the SPF), and an SRV-Record (for Outlook Autodiscover).  If the domain name is not ready to be configured (which can often be the case in a migration), the Dynamic DNS client tries every 10 minutes (by default) to update these records, and as soon as the domain name is ready, the records are updated.

Over time, the Dynamic DNS client will keep your A-Record up to date with your current IP address.  This can be customized or disabled (in the Static IP case) via the property page in the Windows SBS console, on the Network Tab, and Connectivity Sub-tab.  However, the Dynamic DNS client also gets information about your domain name, like if it's about to expire, or if your password has changed, and will report it in the Server Report, so you might want to leave that on.
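An independent check of the four record types described above, as an added example that is not part of the original post or of SBS. The host label "remote", the domain contoso.example and the addresses are constructed sample values; _autodiscover._tcp is the standard Autodiscover SRV name.

```python
# Added example: offline audit of the A, MX, TXT (SPF) and SRV records.
# SAMPLE_ZONE is constructed data, not output from a real provider.
SAMPLE_ZONE = [
    ("remote.contoso.example", "A", "203.0.113.10"),
    ("contoso.example", "MX", "10 remote.contoso.example."),
    ("contoso.example", "TXT", '"v=spf1 a mx ~all"'),
    ("_autodiscover._tcp.contoso.example", "SRV", "0 0 443 remote.contoso.example."),
]


def audit_zone(domain, host, public_ip, records):
    """Return a list of findings; an empty list means every check passed.

    records: iterable of (fully qualified name, type, value) tuples.
    """
    domain = domain.lower().rstrip(".")
    zone = {}
    for name, rtype, value in records:
        key = (name.lower().rstrip("."), rtype.upper())
        zone.setdefault(key, []).append(value.strip())

    def has_address(name):
        return bool(zone.get((name.lower().rstrip("."), "A")))

    findings = []

    # A record: must match the current public IP, which is what the
    # Dynamic DNS client is meant to keep up to date.
    fqdn = f"{host.lower()}.{domain}"
    addresses = zone.get((fqdn, "A"), [])
    if not addresses:
        findings.append(f"A: no record for {fqdn}")
    elif public_ip not in addresses:
        findings.append(f"A: {fqdn} -> {addresses[0]}, expected {public_ip}")

    # MX record: every mail exchanger must itself have an address.
    exchangers = zone.get((domain, "MX"), [])
    if not exchangers:
        findings.append(f"MX: no record for {domain}")
    for value in exchangers:
        target = value.split()[-1]
        if not has_address(target):
            findings.append(f"MX: target {target} has no A record")

    # TXT record: exactly one SPF policy, and not one that passes everyone.
    spf = [t.strip('"') for t in zone.get((domain, "TXT"), [])
           if t.strip('"').lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"TXT: expected exactly one SPF record, found {len(spf)}")
    elif any(term in ("all", "+all") for term in spf[0].lower().split()):
        findings.append("TXT: SPF policy passes all senders")

    # SRV record: Autodiscover over HTTPS, pointing at a resolvable host.
    srv = zone.get((f"_autodiscover._tcp.{domain}", "SRV"), [])
    if not srv:
        findings.append("SRV: no _autodiscover._tcp record")
    for value in srv:
        _priority, _weight, port, target = value.split()
        if port != "443":
            findings.append(f"SRV: port {port}, expected 443")
        if not has_address(target):
            findings.append(f"SRV: target {target} has no A record")

    return findings
```

Feed it records exported from the provider's control panel; a stale A record after an IP change shows up as the first finding.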

Our current partners, at the time of this post, offer the following domain names.  This is obviously subject to change without notice:

.asia, .biz,, .ca, .cc, .cn,,,, .com,,, .de,, .eu,,, .info, .jp,, .net,,, .org,,,,,,,, .tv,,, .us,,, .vg,, .ws,


.ag,,,, .asia, .at, .be, .cc, .cn,,,,,,, .de, .fm, .tw,,,, .eu, .jp,,,, .ms, .tc, .nu, .vg, .ws, .org, .com, .tv, .net, .biz, .us, .mobi, .jobs, .name


.com, .net, .org, .info, .biz, .us, .name, .de, .uk, .cn,,,

If you already have a domain name, you can transfer it to one of the partners, or just use it! Now you don't have to worry if your DNS records are updated correctly, just look for the green check!

Tuesday, August 26, 2008

SBS 2008 Install Certificate Package Error

Lots of people in our Beta program have been using the Install Certificate Package, and lots of people are reporting an error installing the certificate on their client computer.  When you get this error, the log file that appears in the same directory looks something like this:

8/21/2008 7:12 PM
OS version is 6.
Initial the CDP dialogue.
PC Radio button is clicked.

8/21/2008 7:12 PM
OS version is 6.
Initial the CDP dialogue.
Install the cert on PC.
Opening cert store.
Failed to add cert to the store. Error Code: [-2147024891]
Initial the Finish dialogue.

The key thing to note here is the piece in red in the original log: the error code on the "Failed to add cert to the store" line.  This specific error code means "Access Denied".

Due to the fact that Certificates can only be installed by local administrators, you need this type of permission.  That means on Windows XP, you need to be logged into the machine as a local admin, or on Vista, when it prompts you to elevate, you need to provide admin credentials.
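How the error code in that log maps to "Access Denied", as an added example that is not part of the original post or of the certificate package. The sample log is constructed from the excerpt above, and the name table is a small subset of Win32 error codes.

```python
import re

# Constructed sample, modelled on the log excerpt in the post.
SAMPLE_LOG = """\
8/21/2008 7:12 PM
OS version is 6.
Initial the CDP dialogue.
Install the cert on PC.
Opening cert store.
Failed to add cert to the store. Error Code: [-2147024891]
Initial the Finish dialogue.
"""

ERROR_RE = re.compile(r"Error Code: \[(-?\d+)\]")

FACILITY_WIN32 = 7  # HRESULT facility used for wrapped Win32 errors

# Subset of Win32 error codes, enough for this example.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    87: "ERROR_INVALID_PARAMETER",
}


def decode_hresult(signed_value):
    """Split a signed 32-bit HRESULT into its severity, facility and code."""
    unsigned = signed_value & 0xFFFFFFFF      # the log prints it as a signed int
    facility = (unsigned >> 16) & 0x7FF       # bits 16-26
    code = unsigned & 0xFFFF                  # bits 0-15
    name = WIN32_ERRORS.get(code) if facility == FACILITY_WIN32 else None
    return {
        "hex": "0x%08X" % unsigned,
        "failure": bool(unsigned >> 31),      # bit 31 set means failure
        "facility": facility,
        "code": code,
        "name": name,
    }


def find_errors(log_text):
    """Return one decoded entry per 'Error Code: [n]' line in the log."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = ERROR_RE.search(line)
        if match:
            entry = decode_hresult(int(match.group(1)))
            entry["line"] = lineno
            results.append(entry)
    return results
```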

Monday, August 25, 2008

Deep Dive into SBS 2008 Monitoring and Reporting

[This post courtesy of Adrian Maziak, Senior Program Manager]

Poking around the newsgroups and the Windows Small Business Server 2008 support communities, we've seen a lot of confusion regarding the new Monitoring and Alerting infrastructure included with the 2008 version of the product.  Adrian wanted to provide an in-depth look at the solution.

In Windows Small Business Server 2003, the Monitoring and Alerting was provided by a Microsoft product called "Health Monitor" or HealthMon for short.  HealthMon was an extremely old application, rectified in the 2003 timeframe for SBS only, but it was beyond the end of its development lifecycle and impossible to maintain and improve for future versions.  As a result, HealthMon is not included with the 2008 product.

Network Essentials Summary

So let's focus on what we do have.

The heart and soul of the infrastructure is the Windows SBS Manager Service. This service drives a series of tasks including: Report Generation, WSUS Configuration & Update Approvals, Server Backup, Other alerts (Data collection tasks, domain name provider tasks, certificate expiry tasks, licensing tasks), Internal system maintenance (database clean up), and some ad-hoc things like Anti-Spam Safe List updates, and trimming down the Bad Mail directory.

The service is essentially on a timer for 30 minutes.  Every 30 minutes, it wakes up and looks for tasks to do.  What it does depends on each task's scheduled time and recurrence.  The service queues tasks and only allows one task to run at a time, so as to avoid conflicts and minimize any resource hits on the server as much as possible.

The service also supports the Other Alerts function, which has a large set of included alerts with the server.  Other Alerts are extensible by using the Windows Small Business Server 2008 SDK.  In fact, as I posted earlier, the MVPs have started an Alert Sharing Web Site.

The scope of Monitoring and Reporting varies depending on the host Operating System of the client. The table below breaks out the level of monitoring and reporting available:

Monitoring feature | SBS Server | Domain Joined Client | 2nd Server & additional Servers
Auto-Start Service Monitoring | Yes | No | No
Key Event Log Entry Monitoring | Yes | No | No
Disk Space Monitoring | Yes | Yes | Yes
Anti-Virus/Anti-Spyware Status | Yes | Yes | No
Host Firewall Status | Yes | Yes | No

The Other Alerts for each computer are displayed on the Computers Tab against each computer, and of course if you specify an e-mail address on the property page of the View Notifications Settings, you will get emailed when an alert fires.

The Other Alerts have two ways to resolve:

  • A Clearing Condition is received
    • For example, Alert ID 1 fires and shows an alert. If the condition is fixed when Alert ID 2 appears, then Alert ID 1 is cleared and there is no longer an error
  • A Timeout occurs
    • Many problems are caused by external sources, such as the ISP being down.  So if there is an alert that your DNS record can't be updated, simply waiting until the Internet connection comes back will resolve the alert.  Thus if the Event ID 1 happens once and then never happens again (by default the clearing timeout is 30 minutes, but can be changed alert by alert individually).
  • Note: If you're writing alerts, you cannot use a combination of above.

IMPORTANT: An "Other Alert" created by an Event ID condition may have a latency of up to 30 minutes, because the Data Collection service runs every 30 minutes.
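A small model of the two resolution modes and the 30-minute collection latency described above, as an added example. It is not the SBS SDK's API or the service's own code: the class and function names are hypothetical, and it assumes the timeout is counted from the collection run that last saw the event.

```python
from dataclasses import dataclass
from typing import Optional

COLLECTION_INTERVAL = 30  # minutes between data collection runs, per the post


@dataclass
class AlertDefinition:
    """Hypothetical alert definition: one raising event, one way to resolve."""
    name: str
    raise_event: int
    clear_event: Optional[int] = None  # clearing condition (an event ID) ...
    timeout: Optional[int] = None      # ... or minutes without recurrence

    def __post_init__(self):
        # The post's note: the two resolution modes cannot be combined.
        if self.clear_event is not None and self.timeout is not None:
            raise ValueError("use a clearing condition or a timeout, not both")


def simulate(alert, events, until):
    """Replay (minute, event_id) pairs through periodic collection runs.

    Returns the state changes an administrator would see, as
    [(minute_of_collection_run, "raised" | "cleared"), ...].
    """
    events = sorted(events)
    active = False
    last_seen = None
    transitions = []
    for tick in range(COLLECTION_INTERVAL, until + 1, COLLECTION_INTERVAL):
        was_active = active
        # Events only become visible at the next collection run.
        window = [e for e in events if tick - COLLECTION_INTERVAL <= e[0] < tick]
        for _minute, event_id in window:
            if event_id == alert.raise_event:
                active, last_seen = True, tick
            elif event_id == alert.clear_event and active:
                active = False
        # Timeout mode: clear once the event has not recurred for long enough.
        if active and alert.timeout is not None and tick - last_seen >= alert.timeout:
            active = False
        if active != was_active:
            transitions.append((tick, "raised" if active else "cleared"))
    return transitions
```

In this model an event logged at minute 5 is not reported until the run at minute 30, and a condition that is raised and cleared inside one collection window never surfaces at all.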

General Alert Comments

  • Configuring the Alerts to be E-mailed
    • To enable the "Other Alerts" to be directly e-mailed to the administrator, you need to specify the e-mail address(es): navigate to the Computers Tab and click View Notification Settings.  When an "Other Alert" is specified to be an alert, it will be included in the reports and be emailed within the 30 minute window.  Removing an Alert removes it from both as well.
  • An Alert E-Mail may be sent more than once if there is no timestamp for tracking when the condition occurred
    • e.g., service start-ups, disk usage, etc.  These are Windows Management (WMI) based queries and we cannot identify exactly when the condition occurred
    • Items from the Event Log should be generated only once
  • The data for the service is all maintained in a SQL 2005 Express data store.
  • For Troubleshooting, make sure the service is running
    • Additionally check the log files in c:\program files\windows small business server\logs\monitoring\

Gotchas Using the SBS 2008 Answer File

This blog post comes courtesy of all of the folks that have already gotten into trouble using the SBS 2008 Answer File and "Certificate Authority Name".  Through the beta process, we've found a number of people misusing the Certificate Authority Name from the Answer File.


The Certificate Authority Name is only used to override the default.  If you leave this blank (which is totally acceptable) you will end up with a Root certificate issued to %DOMAIN%-%SERVER%-CA (e.g. CONTOSO-SBSSRV-CA, for the NETBIOS domain as CONTOSO, and the server name as SBSSRV).

You can override this to be whatever you want EXCEPT your domain name.  Make it "Contoso CA" or "Contoso Web Certificate Authority".... just don't make it "" if that's the domain you will use for your network.

What happens if you do make this mistake? You'll need to use a DIFFERENT domain name inside the Internet Address Management wizard, because this wizard will fail to configure anything certificate related on your network.

If you're not sure what to put in here, just leave it blank.  Oh, and one more thing, if you make something far too long, or use crazy complex characters, then the server ignores your selection and just makes it DOMAIN-SERVER-CA again.

Thursday, August 21, 2008

Windows Small Business Server 2008 RTMs!

Today, at 11:00am, the entire SBS product team crowded into the Ship-room conference room (most likely a fire violation) to sign off and celebrate the release of Windows SBS 2008 to the wild.  After 3-4 years of solid work on the product, it's time to set it free, time to let it run in the wild.

This has been a HUGE release for this team, of which the following things were accomplished:

  • The team integrated not only across teams, but across time zones (China, India, United Kingdom, etc)
  • The team integrated multiple companies (OEMs, Domain name providers, etc)
  • The team released 2 private betas, 2 public betas and 2 release candidates
  • The team processed over 2000 pieces of feedback from the community betas
  • The team doubled in size
  • The team continued to fully support SBS 2003, while building a new product, SBS 2008
  • The team dunked our Product Unit Manager in whip-cream.

This is a huge milestone for the product team, we are very proud to reach this point, and we are excited to give you Windows Small Business Server 2008!

Wednesday, August 20, 2008

Windows SBS 2008 - Extensible Alerts!

If you're not familiar with it, Windows SBS 2008 has its own Software Development Kit, which allows you to extend the security tab and the Alert infrastructure.  Because of this extensibility, our MVPs have started to write their own Alerts, even before the RTM of Windows SBS 2008.

Because they are MVPs and want to share with the community, they have kindly created an SBS Code Plex, a place for the community to write and share Alert Add-ins.  If you have an alert that you wrote and find handy, chances are others will as well.  Head on over to download and participate!

SBS 2008 UA Launch!

The User Assistance team here on main campus has been crunching away for a long time on documentation for the SBS 2008 product.  As we get near to releasing the final bits to manufacturing (known as RTM), the UA team has also finished updating all their content on the web. Below are all the primary links you need to know.

Tech Library:

With topics included such as:


Because the documentation is online, it can be updated over time.  The SBS UA team has plenty of content still to add to this document library that should continuously publish over the next several months!

Why is this important to you?  Because when something isn't clear in the UI, we document it.  So why risk making a mistake when you could easily just read the documentation to understand the product, instead of just guessing what things are for?  Get familiar, get acquainted, get reading.

Monday, August 18, 2008

Exclusive Opportunity for SBS Specialists and Partners!

While normally I focus on technical tips and tricks, this is one cool tip, because if you graduate from the program, a "for resale" copy of Windows Small Business Server 2008 is available to you as a prize!

Ok, so now the details of the deal:

Exclusive Opportunity!  Online Peer Groups for Small Business Specialist and Windows SBS Partners

Microsoft announces Online Peer Groups, a new benefit for current Small Business Specialist partners that took the Windows SBS 70-282 exam.

What are the Online Peer Groups?

The Online Peer Groups are an opportunity for Microsoft partners to learn, share and complete activities designed to improve their business and professional lives. The Content will consist of these six topics over a 12-month period:

  1. Vision, Mission, Values
  2. Business Planning
  3. Sales and Marketing
  4. Budgeting and Finance
  5. HR and Metrics
  6. Vendor Engagement and Wrap-up

The online Peer Groups consist of up to 15 member partners per group.  The meetings are scheduled at uniform times.  Each meeting will focus on practical, useful content and tools that help you improve your business over the upcoming month and beyond. Homework and goal assignments are required and will supplement the learning.  Peer group sharing is also a key part of the best practice exchange and overall learning.

  • Have to be a current Microsoft Small Business Specialist
  • Passed the SBS 70-282 Exam
  • Fluency in English (open to partners worldwide)
  • Commitment to participate includes attending peer group sessions and completion of homework
  • Pay USD $600 for participation (partners that successfully graduate will receive a free ‘for resale’ copy of SBS 2008 Standard Edition)

To learn more or to SUBMIT the nomination form. Form needs to be submitted latest by August 31, 2008 for participation in the FY09 Online Peer Groups. Submitting the form does not guarantee selection. Microsoft and Heartland Technology Groups reserve the right to decline a submission. All peer groups will be conducted in English only.

Thursday, August 14, 2008

Simplify your Favorites Across Computers


I have three different computers I use on a regular basis.  Favorites were useless to me because when I marked something on the web, I never knew if I was going to be using that computer the next time I wanted it.  I discovered Windows Live Favorites.

Windows Live Favorites keeps your favorites up on a Windows Live server on the Internet, benefits to that? (1) they are backed up, and (2) they can be synced to each computer you use. It's Easy!

Simply install the Windows Live Tool bar from Get Live on each of your computers, it plugs into IE.  Don't worry, if you're not bought into Windows Live Search yet, you can change the search engine it uses, but Windows Live, it's improved a lot!


Your favorites are automatically synced to the Live Favorite service, and then down to each other computer that has the tool bar installed.  Bingo! just like that, your favorites are in sync across all your computers.

As an added bonus, there are sites, such as ZDNet that allow you to add links directly into your favorites.

But wait! It gets better!

If you use Windows Live Spaces, you can choose which favorites to share with your friends.  You add the Favorite Widget, then the favorites you share are visible to all your viewers.

If anything has simplified my life, it's been the ability to have my favorites on all my PCs...

Wednesday, August 13, 2008

Online Training with the SBS Product Team

The Windows SBS Product team (yes, that's us), are putting together some training demonstrations to learn SBS 2008 from the comfort of your living room, you don't even have to turn off the Olympics!

Get Ready for the Windows Essential Server Solutions Launch with Technical Training Series

The November 12, 2008 launch for Windows Essential Server Solutions is fast approaching!  Prepare by attending Partner Academy Live technical training sessions for Windows Small Business Server 2008 and Windows Essential Business Server 2008 starting on August 15, 9am PDT with “The Small and Midsize Business Server Platform: Which Is Right for Your Customer?”.  Topics include planning and installation, migration, security, management, virtualization, and more for both Windows SBS 2008 and Windows EBS 2008.

The SBS Product Team is coming to your Town!

... Or a town near by.

Below is the schedule, to register for an event, simply click up to the partners web site and register!

City | Date
Redmond, WA | Saturday, Sept. 6, 2008
Alpharetta, GA | Tuesday, Sept. 10, 2008
Charlotte, NC | Wednesday, Sept. 11, 2008
Fort Lauderdale, FL | Thursday, Sept. 11, 2008
Houston, TX | Friday, Sept. 12, 2008
Cincinnati, OH | Monday, Sept. 15, 2008
Downers Grove, IL | Tuesday, Sept. 16, 2008
Irving, TX | Wednesday, Sept. 17, 2008
Minneapolis, MN | Thursday, Sept. 18, 2008
South Field, MI | Wednesday, Sept. 17, 2008
Waltham, MA | Thursday, Sept. 18, 2008
New York, NY | Friday, Sept. 19, 2008
San Francisco, CA | Monday, Sept. 22, 2008
Irvine/LA, CA | Tuesday, Sept. 23, 2008
San Diego, CA | Wednesday, Sept. 24, 2008

Monday, August 11, 2008

Wednesday, August 06, 2008

Curious about the SBS 2008 migration process?

Today the Small Business Server User Assistance team has finished writing up the technical documentation for the Migration from both Windows SBS 2003 to Windows SBS 2008, as well as Windows SBS 2008 to Windows SBS 2008.  The documentation is available on the Windows SBS 2003 Technical Documentation Library.

Direct links if you're interested are here:

But wait, there is more, what if you're on site and you don't have access to the web while doing the migration.  The UA team has you covered there with the offline, complete migration help CHM File.

Get familiar, use the Public Beta to practice.

Monday, August 04, 2008

What's Different between SBS 2003 and SBS 2008?

I thought it might be worth doing a post to call out the major things that are different between Windows Small Business Server 2003 and Windows Small Business Server 2008, and that a table format might be helpful.  In this table, I'm comparing directly with the 2003 feature set; I am not discussing added functionality or more robust/secure functionality, which is where a lot of the extra effort went.

In no particular order ...

Windows SBS 2003 | Windows SBS 2008
x86 (32-bit) Only | x64 (64-bit) Only
Setup asks technical questions and allows you to place data stores in the UI | Setup doesn't ask technical questions, if you want some, look at the answer file to enter the migration path, or make modifications to setup, making it more predictable, easier and faster.
Setup asks you technical questions about your router | Setup detects routers at 192.168.x.1 and 192.168.x.255 automatically
Windows Firewall disabled | Windows Firewall enabled and protecting the server before setup is finished
Can deploy as Edge NAT box, or Single-NIC | Deploys as Single-NIC only, flexibility for any type of router (hardware or software) to be used in front of SBS.
DHCP can be deployed on Router or SBS server | DHCP strongly recommended on SBS server, can disable using advanced console only
Post Setup called "To Do" list | Post Setup called "Getting Started" List
Administrator account used, but encouraged to be renamed | New Administrator account created during setup, and the built-in is disabled out of the box
Configure E-mail and Internet Connection wizard was 27 wizard pages long | Connect to the Internet Wizard for outbound connectivity; Internet Address Management Wizard for inbound connectivity, which also configures domain names with participating domain name providers; Add a Trusted Certificate Wizard for adding certs to the box; Configure a Smart Host Wizard for outbound e-mail smarthost configuration; Fix-My-Network wizard for continuous re-runs to reset configuration to factory defaults
User Templates | Renamed to "User Roles"
Power User can log into SBS administration snap-in with limited tasks | Standard User with administration links, gets additional links in Remote Web Workplace for management of Office Live, Connecting to the server, etc.
POP3 Connector was limited for SSL access, should be used for transition tool only. | POP3 Connector re-written to support SSL access to mail accounts.  Continues to be a transition tool.
Remote Web Workplace was on/off for all users | Remote Web Workplace can be limited to be used for certain users only (all users by default).
Business-card web-site was a white paper solution to host on the local box | Integration with Office Live for configuration of Business card web-site; Integration with Office Live for hosted SharePoint; Integration with Office Live for AdSense advertising
Backup was NTBackup based, support for USB disk drive and Tape | Backup is based on new VSS technology, and is much quicker, but no longer supports tape.
Email Reports Daily and Instant alerts from a defined list | An extensible list of alerts and daily reports
Security roll-up of the Server only, patch level of clients only. | Security roll-up of the server and clients.  Including Firewall Status, AV status, Patch Status, Malware Status, Free Disk space and others!
Windows Server 2003; Exchange Server 2003; Windows SharePoint Services v2 | Windows Server 2008; Exchange Server 2007 SP1; Windows SharePoint Services v3
Remote Web Workplace shows all computers to connect to | Remote Web Workplace can show all computers, but defaults to a user
Self-Issued Certificate was your responsibility to distribute | Handy distribution tool provided that can be taken home on a USB/Floppy drive and installed on remote computers, or windows mobile devices
Single Leaf/Root Self-issued Certificate | Root Cert/Leaf Cert combination so renewing the leaf cert doesn't require redistributing the certificate package
No Anti Virus included | 120 day trial versions of OneCare for the Server, and Forefront Security for Exchange included.
Folder Redirection is entire network or no one. | You can choose which users have their "My Documents" redirected to the server
All files were able to be put on the server | You can filter which type of documents are not allowed on the server, such as music files, etc.
Support for Windows 2000 clients and higher | Support for Windows XP SP2 clients and higher
Windows Mobile access was always allowed | Windows Mobile access can be enabled by user, and devices can be managed through Outlook Web Access.
Two consoles, the Administrators console, and the Power Users console | Three consoles, the Administrators console, the administrators console with advanced links, and the MMC console with most native tool consoles already in it.
Single type of CAL | Lower price CALs for Standard server & users that aren't using the features in Premium
CALs purchased in 5/25 packs | CALs purchased in 1/5/25 packs
User needs to remember links | Administrator maintained Vista Gadget for common company links

That's the list I can think of.  If I missed something, feel free to let me know and I will be sure to add it.  Itching to try out the beta? Head over to, and register to provide feedback and participate in the community over at the Small Business Server Connect site.

Friday, August 01, 2008